Installing & Configuring IPFilter and TCP Wrappers
Installing IPF is pretty easy and straightforward if you follow the
documentation on the website, except that the config files live in a
rather unexpected directory, /etc/opt/ipf. I like to link these files to
the ones in /etc:
cd /etc
NOTE:
Remember that the ipf.conf in /usr/kernel/drv is the configuration
data for the module loader and not the IPFilter rule set. Also, place all
NAT rules in ipnat.conf and not in ipf.conf.
If you wish to enable IPF logging, and I would recommend that you
do, since it's very handy to have logs to track errors and other things
down with, edit /etc/rc2.d/S65ipfboot and remove the "#" from the line:
# ipmon -n &
What this does is make ipmon, the IPF log reader, run at boot and
report what the kernel has logged. One caveat: -n only maps addresses
and ports to names. Unless ipmon is also given -s it writes to a file or
to its standard output, so for the records to reach syslog (facility
local0, at a level from info to err depending on the rule) check that the
line includes -s as well.
To have syslog record the messages, you also need to edit
/etc/syslog.conf on the relevant syslog host and add the line (separate
the two fields with tabs, not spaces; the classic syslogd requires tabs):
local0.debug	/var/adm/messages
This logs every packet that matched a rule carrying the "log"
keyword, at any priority, not every packet that passed through the
firewall. You may need to play around with this if you get a lot of
traffic through your firewall, otherwise your log files will become huge.
NOTE:
Eric "Loki" Hines has recently written a very nice paper on
setting up a secure remote logging server, which would be perfect here. I
personally love to do this since it always gives you another "untouched"
copy of your logs. Also, if you think your system has been compromised,
you can check your local logs against the logging server to see whether
whoever compromised your system and/or network has edited out anything
they didn't want you to know about.
Unix/Linux systems offer a lot of different services to the world around
them. Sometimes hackers or script-kiddies can compromise these services
and gain root on that system or network. This brings to mind the word
'security', which is one of the most important aspects of computing
nowadays. For a reference for newbies on securing a Linux box, check out
my last paper on Locking Down Linux Mandrake. Even if you don't run Linux,
it's still a good read because it will give you a basic idea of what to
look out for security-wise.
Now, most ISPs already provide packet filtering that stops all
incoming connections to their dialup systems, so if this is the case, all
you have to do is leave the file ipf.conf empty (bear in mind that an
empty rule set means IPFilter passes everything by default, so you are
then relying entirely on the ISP's filter). If you have to set up your
own packet filtering, you will most likely want to allow all outgoing
connections and block any incoming connections. All you have to do is set
up a set of IP Filter rules for just that. Here is an example of ipf.conf:
#
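Here is an added example of the "allow everything out, block everything in" policy just described. It is my illustration, not the author's ipf.conf; it assumes the dialup interface is dp0 (the interface used later in this paper), that the loopback interface is lo0, and that ipmon is running so the logged blocks reach syslog:

```conf
# /etc/opt/ipf/ipf.conf -- added example, not the author's rule set.
# IPFilter walks the rules top to bottom and the LAST matching rule
# decides, unless a matching rule says "quick", which stops the walk
# right there. "keep state" records a connection so that its replies
# are passed without consulting the rules again.

# Never filter loopback traffic.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop obviously spoofed packets arriving on the dialup link: nobody on
# the Internet should be sending us loopback or private source addresses.
block in quick on dp0 from 127.0.0.0/8    to any
block in quick on dp0 from 10.0.0.0/8     to any
block in quick on dp0 from 172.16.0.0/12  to any
block in quick on dp0 from 192.168.0.0/16 to any

# Default for the dialup link: block and log everything that comes in.
# Deliberately NOT quick, so a later "pass in" can poke a single hole.
block in log on dp0 all

# Let everything out, keeping state so the replies to our own
# connections are let back in without a "pass in" rule of their own.
pass out quick on dp0 proto tcp  from any to any flags S keep state
pass out quick on dp0 proto udp  from any to any keep state
pass out quick on dp0 proto icmp from any to any keep state

# If you run sshd and want to reach it from outside, one hole is enough;
# everything else stays behind the "block in log" above.
# pass in quick on dp0 proto tcp from any to any port = 22 flags S keep state
```

Load or reload it with ipf -Fa -f /etc/opt/ipf/ipf.conf and check what is active with ipfstat -io. Because the catch-all "block in log" is not quick, any "pass in" rule placed after it in the file overrides it for exactly the packets it matches, which is the IPFilter way of opening one service while keeping the default closed.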
To begin using NAT, you will need to create a NAT configuration file.
Run the command touch /etc/opt/ipf/ipnat.conf, which creates an empty
file called ipnat.conf in that location. Now all you have to do is edit
the file and add in your set of rules. Here is an example of the
ipnat.conf file:
#
This file would map all TCP and UDP connections coming from the
10.5.3.0/24 network onto a new port, using the IP address of the dp0
interface as the source. The IP address of the dp0 interface is picked up
dynamically when the connection is made, so the rule keeps working when
the dialup address changes.
NOTE:
If you wish to make everything go through NAT, just change the
10.5.3.0/24 to 0.0.0.0/0.
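Here is an added example of the ipnat.conf just described; it is my illustration, not the author's file. It uses the dp0 interface and the 10.5.3.0/24 inside network from the text; the port range and the ftp proxy line are my additions:

```conf
# /etc/opt/ipf/ipnat.conf -- added example, not the author's file.
# "0/32" on the right-hand side tells ipnat to use whatever address dp0
# has at the moment, which is what you want on a dynamically assigned
# dialup link. ipnat uses the FIRST map rule that matches, so the more
# specific rules go first.

# Active ftp from inside needs the ftp proxy, or its data connections
# (which the server opens back towards the client) will fail.
map dp0 10.5.3.0/24 -> 0/32 proxy port ftp ftp/tcp

# TCP and UDP: rewrite the source address to dp0's address and the source
# port to one in 40000-60000, so many inside hosts can share one address.
map dp0 10.5.3.0/24 -> 0/32 portmap tcp/udp 40000:60000

# Everything else (ICMP, for example): plain address translation only.
map dp0 10.5.3.0/24 -> 0/32
```

Load it with ipnat -CF -f /etc/opt/ipf/ipnat.conf (-C removes the old rules, -F flushes the active translation table) and list what is active with ipnat -l. NAT only does anything once the box actually forwards packets between its interfaces; on Solaris that is ndd -set /dev/ip ip_forwarding 1.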
Basically, TCP Wrappers is a package that "wraps" any daemon started
from the inetd.conf file in /etc, so that access to it is limited. You
specify who is allowed access and who is denied by adding lines to the TCP
Wrappers configuration files, /etc/hosts.allow and /etc/hosts.deny.
You can download the TCP Wrappers package from the following link: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
Installation of TCP Wrappers is very straightforward, and it offers a
choice of either replacing the daemons you wish to "wrap" or modifying the
/etc/inetd.conf file. Think of this as your lucky day, because I'm going
to go step by step through how to install and configure TCP Wrappers for
Linux :). (yay)
Ok, step one is to download and save the package to your system. I
prefer to use the "lynx" command in Linux to download a package and save
it in my home dir. Here is how I would go about unpacking the tar.gz file
and installing it on my Mandrake Linux box.
[quackmoo@ph33r]$ lynx ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
NOTE: Once you run the command "make", make sure to follow the
instructions that appear on the screen, as they will help you (make with
no target lists the system types you can build for). Also, make sure you
read the README before you even try to install the package.
After you have configured your /etc/inetd.conf file it should look
something like this:
ftp stream tcp nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd
The above means that anyone who connects (incoming) to the ftp daemon, or
to telnet if you wrap it the same way, is passed to /usr/local/bin/tcpd so
the connection can be checked against the access control lists; if the
connection is allowed, it is passed on to the appropriate daemon, which is
the one named in the argument after tcpd. Remember to send inetd a HUP
signal (kill -HUP its pid) so that it rereads the file.
But first a word of warning: I myself don't run telnet anymore, since
the leak of the telnetd exploit (check out the telnetd advisory from
cert.org at http://www.cert.org/advisories/CA-2001-21.html).
Script-kiddies have been going around attacking any host that runs the
telnetd daemon and gaining root, for either personal gain or revenge on a
sysadmin or even a friend. I would suggest that you comment out the telnet
daemon in /etc/inetd.conf and get ssh installed. Also, since I'm so nice,
I have decided to go through the setup of ssh in depth as well.
[quackmoo@ph33r]$ tar -zxvf ssh-2.4.0.tar.gz
Now that you have ssh installed, you will want to create a public and
private key pair that can be used. For this, we run ssh-keygen2, which
comes with ssh-2.4.0. Just issue the command "ssh-keygen2" at the command
prompt and follow the instructions on screen.
NOTE: The following example was taken from a text file written
by Markus T. Delves. Mr. Delves has also written many HOWTO files and
the famous "Armoring FreeBSD", which has been circulating around the BSD
community for some time now. Check out this excellent paper at: http://www.daemonnews.org/200102/armoring.html
Even if you don't run BSD, or any type of Unix OS, I recommend reading
his paper as it gives you a great idea of what to look out for in BSD,
security-wise.
[quackmoo@ph33r]$ ssh-keygen2
Once the DSA keys are generated you will want to create an identification
file for yourself.
[quackmoo@ph33r]$ cd ~/.ssh2
Next, copy your public key to the remote host and put it in your ~/.ssh2
directory there. Call it anything you wish; for example, I called mine
quack.pub.
[meow@ph33r]$ mv ../id_dsa_1024_a.pub quack.pub
Next, you'll need to create an authorization file on the remote host so
that it knows which keys it may accept when you log in.
[meow@ph33r]$ echo "Key quack.pub" >> authorization
Next, you will want to test it all out, so get back on your local system
and try logging in to the remote host on which you set up the
authorization file (-l takes the remote login name; here that is meow, the
account holding the authorization file). It should look something like
this:
[quackmoo@ph33r]$ ssh2 -l meow oink.example.com
Enter your pass phrase, and you're done.
The example above is exactly what I did to get ssh-2.4.0 fully installed
and running on my Linux box. To use ssh, you can just use the command ssh
or ssh2 at your command prompt. Here is a quick example of how to use ssh2
and sftp.
[quackmoo@ph33r]$ ssh2 -l ph33r oink.example.com
The ssh command takes the same form; just replace "ssh2" with "ssh". Also,
sftp is included in the package and is just as handy. It replaces ftp and
is another service I use instead of ftp. To use it, just issue "sftp" at
the command prompt.
[quackmoo@ph33r]$ sftp -l ph33r meow.example.com
Once logged in to your sftp account on the remote host, don't worry about
the commands; if you know how to use ftp, the commands are pretty much
the same.
Ok, now that you have both TCP Wrappers and ssh installed on your
local system, let's get on to configuring TCP Wrappers to allow and
deny connections. First, let's deny all incoming connections to the
wrapped services, so that only hosts you explicitly list can connect
(TCP Wrappers decides by client host, not by user account).
[quackmoo@ph33r]$ su
You can use any editor for this, be it vi, emacs or pico; anything's
good :). Add the following line so that /etc/hosts.deny looks like this:
ALL : ALL
This is known as a "catch-all", as it catches all incoming connections
to wrapped services and blocks them. Now you want to specify which
connections are allowed in. Pick your favourite text editor and edit
/etc/hosts.allow; entries there are checked first and take precedence
over hosts.deny. Here is a typical example of the use of TCP Wrappers:
Say you're very paranoid about security (who isn't these days?) and
you just got TCP Wrappers installed along with ssh. Your friend, who
has an account on your system that he uses from home, is going away
for the weekend and staying at his aunt's house while his parents are
on holiday. All you have to do is ask your friend, once he arrives at
his aunt's house, to find out her static IP address and email it to
you. Then edit /etc/hosts.allow and add the following line to allow
his aunt's home computer to connect to your system so he can log in:
ALL : 194.145.128.14
This means that you are allowing connections to every wrapped service
from the address 194.145.128.14, which is exactly what you want so that
your friend can log in from his aunt's computer. If ssh is the only
thing he needs, "sshd : 194.145.128.14" is tighter and leaves the other
wrapped services closed to that address. Remember to keep an eye on
your logs, as they can provide crucial information on who is logging in
and out of your system.
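As an added example (mine, not the author's configuration) of how the two files fit together, here are a hosts.deny and hosts.allow that keep the catch-all and admit the friend's address from the scenario above, but open only the ssh daemon to it. The 192.168.1.0/24 LAN, the example.com domain and badhost.example.com are placeholders I made up for illustration:

```conf
# /etc/hosts.deny  (added example, not the paper's own file)
#
# tcpd reads hosts.allow first and stops at the first matching line.
# Only if nothing there matches does it read this file, and if nothing
# matches here either the connection is ALLOWED. This catch-all turns
# hosts.allow into the only way in.
ALL : ALL


# /etc/hosts.allow  (added example, not the paper's own file)
#
# Format: daemon_list : client_list [ : option ]
#
# Your friend at his aunt's house: only the ssh daemon, not every wrapped
# service. The daemon name is the process name tcpd sees, so use "sshd2"
# here if that is what you start the ssh-2.4.0 daemon as.
sshd : 194.145.128.14

# Loopback may use everything that is wrapped.
ALL : 127.0.0.1

# Log each accepted ftp connection from the LAN (192.168.1.0/24 is a
# placeholder) to root by mail as well as to syslog. tcpd expands %d
# (daemon), %h (client host) and %a (client address) before running the
# command. "spawn" needs the extended option syntax (hosts_options(5)),
# which not every build of 7.6 has enabled.
in.ftpd : 192.168.1.0/255.255.255.0 : spawn (/bin/echo "%d from %h [%a]" | /bin/mail -s "ftp login" root) &

# Everyone in example.com (placeholder) except one host you do not trust.
# A leading dot matches every host name ending in that domain.
in.ftpd : .example.com EXCEPT badhost.example.com
```

Two caveats: sshd only honours these files if it was built against libwrap or is started from inetd through tcpd, and the package's tcpdchk checks both files for syntax errors while tcpdmatch sshd 194.145.128.14 shows you what tcpd would decide for a given daemon and client before you rely on it.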
Alan Neville claims to be nothing more than simply a computer geek. He has
only been interested in computers for the last two years, and in those two
years has been introduced to the cyber world known only as 'The Internet'.
While trying to keep a grasp on what is happening in the security world,
he struggles to meet the standards in school and hold up his personal
life. He enjoys experimenting with computers in his room late at night
and loves having conversations with anyone halfway across the world ;).
He can be contacted at ph33r@isiclabs.org for any questions or
suggestions you may have on this paper.
Alan Neville